Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
ID: 0209089d-0eb1-52f5-b5ec-7dde3d6f3ce2
STIX ID: report--0209089d-0eb1-52f5-b5ec-7dde3d6f3ce2
Feed Name: The Hacker News
**CVE-2026-4020**: A REST API permission flaw in the Gravity SMTP WordPress plugin can return the full system report (including API keys, tokens, and configuration) to unauthenticated callers. Wordfence has observed active exploitation (over 17 million blocked requests), and a patch is available in version 2.1.5. Site owners should update immediately and rotate exposed credentials.
